Password Cracking on Steroids

Upload: dangnhi

Post on 24-Apr-2018

Page 1: Password Cracking on Steroids - Question Defense · Password Cracking on Steroids ... passwords to work. 6. We now run that list through the expander and then repeat the Combination

Password Cracking on Steroids

[root@tools ~]# whoami

Martin (purehate) Bos

• Core Developer for Backtrack Linux

• Owner of Computer Rehab

• Co-Founder Question-Defense

• Security Enthusiast

[root@tools ~]# whoami

Alex (dakykilla) Kah

• Technology Consultant

Disclaimer

• We do not crack passwords for a living

• We do not claim to be experts

• We did not write Hashcat

• We have been known to be wrong

• We are just a couple geeks who happen to get excited by cracking password hashes

Passwords are Important

•Primary user authentication

•Weakest link in a network

•Admin passwords

So what's new?

• GPU-based password cracking

• More complex rule sets

• Pattern detection software

• Faster CPU processing with SSE2

• Distributed Cracking

• Online hash lookup web sites

What does this mean?

• Passwords that were once considered secure are no longer so

• Passwords that are hashed without being salted are almost a joke

• Anything under 12 characters is easily broken
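
Why unsalted hashes fare so badly, shown from the storage side in an added Python example (not part of the original slides): the same constructed accounts are stored as md5($pass), as md5($salt.$pass), and with a salted slow KDF. The account names, passwords, function names and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor, not from the slides

def md5_pass(password):
    """md5($pass): unsalted, the first entry in the slides' algorithm list."""
    return hashlib.md5(password.encode()).hexdigest()

def md5_salt_pass(password, salt):
    """md5($salt.$pass): salted, but still one fast MD5 per guess."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def kdf_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def kdf_verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(kdf_hash(password, salt)[1], expected)

def shared_password_groups(stored):
    """Users whose stored values are identical, i.e. visible password reuse."""
    groups = {}
    for user, value in stored.items():
        groups.setdefault(value, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

# Constructed sample accounts: alice and carol picked the same password.
USERS = {"alice": "Summer2011!", "bob": "tr0ub4dor&3", "carol": "Summer2011!"}

def build_tables(users=USERS):
    """Store the same accounts three ways: md5($pass), md5($salt.$pass), PBKDF2."""
    unsalted = {u: md5_pass(p) for u, p in users.items()}
    salted = {u: md5_salt_pass(p, os.urandom(16)) for u, p in users.items()}
    slow = {u: kdf_hash(p) for u, p in users.items()}
    return unsalted, salted, slow

if __name__ == "__main__":
    unsalted, salted, slow = build_tables()
    print("reuse visible, md5($pass):      ", shared_password_groups(unsalted))
    print("reuse visible, md5($salt.$pass):", shared_password_groups(salted))
    print("reuse visible, PBKDF2:          ", shared_password_groups(slow))
```

With md5($pass), identical passwords give identical stored values, so one recovered or looked-up hash exposes every account that shares it; a per-user salt removes that, and the slow KDF additionally raises the cost of each guess.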

Old School Attacks

Cain & Abel

Old School Attacks

John the Ripper

If Those are Old School, Then What's New School?

Although John the Ripper and Cain are still very good password crackers, they lack many of the combination, hybrid attack and speed characteristics of Hashcat & Oclhashcat

Where Can I get the tools used in this demo?

• http://hashcat.net/files/hashcat-0.34.rar

• http://hashcat.net/files/hashcat-gui-0.2.433.rar

• http://hashcat.net/files/oclHashcat-0.23.rar

• http://hashcat.net/files/hashcat-utils-0.1.rar

The Coolest Cat in Town…

Since we only have an hour, it would be impossible to show all the features of Hashcat & Oclhashcat, but we are going to try to show a few highlights

Hashcat Features

• Free

• Multi-Threaded

• Multi-Hash

• Linux & Windows native binaries

• Fastest CPU-based multihash cracker

• SSE2 accelerated

• Rules mostly compatible with JTR and PasswordsPro

• Possible to resume or limit session

• Automatically recognizes recovered hashes from outfile at startup

• Can automatically generate random rules for Hybrid-Attack

• Able to work in a distributed environment

• Specify multiple wordlists and also multiple directories of wordlists

• Number of threads can be configured

• Threads run on lowest priority

Hashcat Supported Algorithms

• MD5

• md5($pass.$salt)

• md5($salt.$pass)

• md5(md5($pass))

• md5(md5(md5($pass)))

• md5(md5($pass).$salt)

• md5(md5($salt).$pass)

• md5($salt.md5($pass))

• md5($salt.$pass.$salt)

• md5(md5($salt).md5($pass))

• md5(md5($pass).md5($salt))

• md5($salt.md5($salt.$pass))

• md5($salt.md5($pass.$salt))

• md5($username.0.$pass)

• md5(strtoupper(md5($pass)))

• SHA1

• sha1($pass.$salt)

• sha1($salt.$pass)

• sha1(sha1($pass))

• sha1(sha1(sha1($pass)))

• sha1(strtolower($username).$pass)

• MySQL

• MySQL4.1/MySQL5

• MD5(Wordpress)

• MD5(phpBB3)

• MD5(Unix)

• SHA-1(Base64)

• SSHA-1(Base64)

• SHA-1(Django)

• MD4

• NTLM

• Domain Cached Credentials

• MD5(Chap)

• MSSQL

Gotta Have Some Stats

Hashcat Attacks

• Straight Words

• Combination Words

• Togglecase

• Permutation

• Brute force

Hashcat Rules Demo Attack

hashcat-cli.exe -a 1 -r C:\tools\hashcat-0.34\rules\d3ad0ne.rule -m 0 -o C:\tools\hashcat-0.34\cracked.txt -n 2 C:\tools\hashcat-0.34\rockyou.txt C:\tools\hashcat-0.34\big.lst

Hashcat Permutation Demo Attack

hashcat-cli.exe -a 4 --perm-max 6 -m 0 -o C:\tools\hashcat-0.34\cracked.txt -n 2 C:\tools\hashcat-0.34\rockyou.txt C:\tools\hashcat-0.34\big.lst

Hashcat GUI

Some more Hashcat Speed Tests…

Oclhashcat Features

• Free

• Multi-GPU

• Multi-Hash

• Linux & Windows native binaries

• Uses OpenCL

• Fastest multihash MD5 cracker on NVidia cards

• Fastest multihash MD5 cracker on ATI 5xxx cards

• Supports wordlists (not limited to Brute-Force / Mask-Attack)

• Can mix wordlists with Mask-Attack to emulate Hybrid-Attacks

• Runs very cautiously, you can still watch movies while cracking

• Kernel workload can be configured while cracking

• Supports pause / resume

• Supports huge numbers of hashes (4 million and more)

• Able to work in a distributed environment

• Includes hashcat's entire rule engine to modify wordlists on start

Oclhashcat Supported Algorithms

• MD5

• md5($pass.$salt)

• md5($salt.$pass)

• md5(md5($pass))

• md5(md5($pass).$salt)

• SHA1

• sha1($pass.$salt)

• sha1($salt.$pass)

• MySQL

• MySQL4.1/MySQL5

• MD4

• NTLM

• Domain Cached Credentials

More Stats…

Oclhashcat Attacks

•Bruteforce

•Hybrid Masks

•Fingerprint

Character Sets Explained

?l = Lowercase

?u = Uppercase

?d = Digits

?s = Special Characters

You can specify more than one with -1 ?l?u?d and then specify ?1 in the left and right mask.

--custom-charset1=?dabcdef sets charset ?1 to 0123456789abcdef

Bruteforce example attack

oclHashcat64.bin md5.txt -m 0 -n 160 --gpu-devices=1,2,3,4,5,6,7,8 --gpu-loops=1024 -1 ?l?d?s?u ?1?1?1?1 ?1?1

md5.txt = List of hashes to be cracked

-m = Type of hash

-n = Workload tuning

--gpu-devices = OCL devices to use

--gpu-loops = Workload fine-tuning if -n is not precise enough

?1?1?1?1 = Left mask

?1?1 = Right mask
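
How large the search space of such a mask is, as an added Python example (not from the original slides): a small calculator for the mask and custom-charset syntax explained on the last two slides, useful for judging what a password length policy buys. It assumes ?s means the 33 printable ASCII symbols including space; the function names are made up for this illustration.

```python
import string

# Built-in charsets from the slide; assumption: ?s = 33 printable ASCII symbols incl. space.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}

def expand_charset(spec, custom=None):
    """Expand a definition such as '?l?d?s?u' or '?dabcdef' into a set of characters."""
    custom = custom or {}
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key in BUILTIN:
                chars.update(BUILTIN[key])
            elif key in custom:
                chars.update(custom[key])
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.add(spec[i])  # literal character
            i += 1
    return chars

def mask_keyspace(mask, custom_specs=None):
    """Candidates covered by one mask; custom_specs maps '1' to the -1 definition."""
    custom = {k: expand_charset(v) for k, v in (custom_specs or {}).items()}
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            total *= len(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            i += 1  # a literal position contributes exactly one choice
    return total

def combined_keyspace(left, right, custom_specs=None):
    """Left and right masks are concatenated, so their keyspaces multiply."""
    return mask_keyspace(left, custom_specs) * mask_keyspace(right, custom_specs)

if __name__ == "__main__":
    cs = {"1": "?l?d?s?u"}  # the -1 definition from the brute-force slide
    print("6 positions: ", combined_keyspace("?1?1?1?1", "?1?1", cs))
    print("12 positions:", mask_keyspace("?1" * 12, cs))
```

The six-position mask from the slide covers 95^6 candidates; every extra position over the same charset multiplies that by 95, which is why password length is the lever that matters most against this kind of search.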

Let's do a quick demo of the brute force attack

Hybrid Example Attack

oclHashcat64.bin md5.txt -m 0 -n 160 --gpu-devices=1,2,3,4,5,6,7,8 --gpu-loops=1024 -1 ?l?d?s?u $DICT_FILE ?1?1

This attack will append a-z, A-Z, 0-9 and all special characters to the end of every word in the dictionary

Let's do a quick demo of the hybrid attack

Fingerprint Attack

• Fingerprinting is using common patterns users use to create passwords

• Common patterns like adding a 1 or a date to a password are no longer safe so users are creating more complex patterns

• Using a dictionary expander we can create all the patterns possible from a given wordlist

Basic analysis of the attack

1. Bruteforce the list of hashes with a simple 5 or 6 character attack which will give us a small password list to begin with

2. Remove the hash portion of the list leaving us with a small dictionary file

3. Run the dictionary file through the expander

4. Now we use Oclhashcat’s Combination engine with our new dictionary file on the left mask and the right mask which will increase our chances of success even more.

5. This will give us a second set of cracked passwords to work with.

6. We now run that list through the expander and then repeat the Combination attack

7. The attack can be repeated using these steps until no more passwords are found.

Let's do a demo of the fingerprint attack

Password fingerprinting tips and tricks

• Fingerprinting attack is designed for use with GPUs

• Fingerprint attacks can be automated

• You can use your own wordlists as well

• Be careful not to use huge wordlists with the expander

• Build your own pattern dictionary

• Limit the lengths of the patterns

What’s The best Place to get a Wordlist?

• http://www.skullsecurity.org/wiki/index.php/Passwords

• http://hashcrack.blogspot.com/p/wordlist-downloads.html

This password crap sucks, I hate doing it…

Let us do the work for you. We have an online password cracking service at tools.question-defense.com which supports WPA, ntlm, md5, md4, sha1 and rar

We are currently adding more algorithms and much more speed

What have we learned?

Treat your password like your toothbrush. Do not let anyone else use it and get a new one every 6 months

Questions?